For some reason there is no NULL check on setting the HKDF key for p2 like
in the other cases in the switch, instead OpenSSL fails in memdup, nulling
out the key but leaving the key_len at the old value. This looks accidental
but our behavior makes some haproxy regress tests segfault. So mimic weird
OpenSSL semantics but in addition set the key_len to 0.
Reported by Ilya Shipitsin
ok jsing
-/* $OpenBSD: hkdf_evp.c,v 1.19 2022/11/26 16:08:53 tb Exp $ */
+/* $OpenBSD: hkdf_evp.c,v 1.20 2023/06/26 08:57:17 tb Exp $ */
/* ====================================================================
* Copyright (c) 2016-2018 The OpenSSL Project. All rights reserved.
*
return 1;
case EVP_PKEY_CTRL_HKDF_KEY:
- if (p1 <= 0)
+ if (p1 < 0)
return 0;
freezero(kctx->key, kctx->key_len);
+ kctx->key = NULL;
+ kctx->key_len = 0;
+
+ /* Match OpenSSL's behavior. */
+ if (p1 == 0 || p2 == NULL)
+ return 0;
+
if ((kctx->key = malloc(p1)) == NULL)
return 0;
memcpy(kctx->key, p2, p1);
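Review bot: The comment `/* Match OpenSSL's behavior. */` above the `p1 == 0 || p2 == NULL` check does not say which behavior is being matched. The surprising part is that this failure return comes after `freezero()`, so a rejected call still discards the previously configured key. I would spell that out, e.g. `/* Match OpenSSL: an empty or NULL key fails, but only after the old key has been cleared. */`, so that nobody later hoists the check above the `freezero()` as a tidy-up. Resetting `key` and `key_len` together also means the `malloc()` failure return no longer leaves a stale length next to a NULL pointer, which would be worth pinning in a regress test together with the NULL `p2` case. The case body continues past the end of the hunk, so whatever sets `key_len` on success is not visible here.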